
Firewall not detecting obvious hacking


#1

Here is a common example:

[2019-01-02 22:19:40] SECURITY[13452] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-01-02T22:19:40.659-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="dFh7t2Rb2Rz7g4UY3VZCVQ..",LocalAddress="IPV4/TLS/10.0.10.15/5061",RemoteAddress="IPV4/TLS/46.166.151.160/50145",ACLName="registrar_attempt_without_configured_aors"

The problem appears to be that /etc/fail2ban/filter.d/asterisk.conf is missing the TLS selector in both the LocalAddress and RemoteAddress.

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
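Added example (not from the thread or the FreePBX project): a Python harness that replays the failregex above against the logged line, approximating fail2ban's %(...)s macros and <HOST> with simplified, assumed patterns so it runs offline. It shows that adding TLS to both transport groups is required, and also that this line's AccountID="anonymous" does not fit (\d*|<unknown>), so a filter change is best confirmed with fail2ban-regex against the real log before relying on it.

```python
import re

# Sample input: the log line from the post above, embedded here as constructed test data.
LOG_LINE = (
    '[2019-01-02 22:19:40] SECURITY[13452] res_security_log.c: SecurityEvent="FailedACL",'
    'EventTV="2019-01-02T22:19:40.659-0500",Severity="Error",Service="PJSIP",EventVersion="1",'
    'AccountID="anonymous",SessionID="dFh7t2Rb2Rz7g4UY3VZCVQ..",'
    'LocalAddress="IPV4/TLS/10.0.10.15/5061",RemoteAddress="IPV4/TLS/46.166.151.160/50145",'
    'ACLName="registrar_attempt_without_configured_aors"'
)

# Assumed, simplified stand-ins for fail2ban's %(...)s macros and its <HOST> tag;
# fail2ban strips the timestamp before matching, so banned_host() does the same.
SUBS = {
    "__prefix_line": r"\s*",
    "log_prefix": r"(?:NOTICE|SECURITY|WARNING)\[\d+\] [^:]+:",
    "iso8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}",
}
HOST = r"(?P<host>[\da-fA-F:.]+)"
SHIPPED_TRANSPORTS = ("UDP", "TCP", "WS", "WSS")   # transports in the posted filter
TLS_TRANSPORTS = SHIPPED_TRANSPORTS + ("TLS",)     # the fix discussed in the thread
SHIPPED_ACCOUNT_ID = r"(\d*|<unknown>)"            # AccountID pattern in the posted filter
ANY_ACCOUNT_ID = r'[^"]*'                          # widened so "anonymous" is accepted too

def build_failregex(transports, account_id):
    """The posted failregex, parameterised on the transport list and the AccountID pattern."""
    t = "|".join(transports)
    return (
        r'^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|'
        r'ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",'
        r'Service="[\w]+",EventVersion="\d+",AccountID="' + account_id + r'",SessionID=".+",'
        r'LocalAddress="IPV[46]/(' + t + r')/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(' + t + r')/<HOST>/\d+"'
        r'(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?'
        r'(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
    )

def banned_host(line, transports, account_id):
    """Return the <HOST> fail2ban would ban for this line, or None when the filter misses it."""
    pattern = (build_failregex(transports, account_id) % SUBS).replace("<HOST>", HOST)
    body = re.sub(r"^\[[^\]]+\]\s*", "", line)   # drop the "[date time] " prefix
    m = re.match(pattern, body)
    return m.group("host") if m else None

if __name__ == "__main__":
    for label, tr, acct in (("shipped filter", SHIPPED_TRANSPORTS, SHIPPED_ACCOUNT_ID),
                            ("TLS added", TLS_TRANSPORTS, SHIPPED_ACCOUNT_ID),
                            ("TLS added + AccountID widened", TLS_TRANSPORTS, ANY_ACCOUNT_ID)):
        print(f"{label:30} -> {banned_host(LOG_LINE, tr, acct)}")
```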

(Nate) #2

Seems like an easy fix. Have you already created a bug report?

http://issues.freepbx.org/


#3

Did now.


(Tom Ray) #4

This is in no way a Firewall issue. Fail2ban is not the Firewall. They are two completely different things.

This was a block due to it being anonymous; that has nothing to do with it being TLS or not TLS. As well, fail2ban will only block things once they have done X in Y time. It is not a firewall in a preventive manner. It waits for something bad to happen and then it does stuff.

The actual System Firewall would be a completely different beast and it is Deny All by default. Are you running the System Firewall?


#5

I think you misunderstand, there was NO block. That’s the problem. And I updated the fail2ban rule myself to detect TLS and it works. Yes, the firewall is enabled.

My expectation is that a security event like this will trigger a ban on that IP address. That works now that I added the TLS selector to the rule.


(system) #6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.